Threat fatigue and the failure of cybersecurity
There was a recent U.S. National Institute of Standards and Technology (NIST) study titled “Security Fatigue” that was released regarding people's experiences with online security. Though it had what we would consider too small a sample size to have statistically significant results, we did agree with many of its findings regarding the cybersecurity attitudes of people globally.
There is a form of growing desensitisation to the daily reports of cyber hacks and threats to the degree where some have begun to wonder just what is the point of cybersecurity practice at all. We already find anger and frustration with users when security teams become “Dr. No” to every project because of the security controls required.
Then when the controls are put in place, they are awkward to use and hard to understand. Customers become angry with the countless passwords that must be remembered or the apps that must be run to get additional authentication factors.
“User-friendly” and “security procedure” are mutually exclusive phrases for many, and this only adds to the perception that security is just a hassle. Once you add the results of cyber attacks reported in the media and our apparent inability to stop them, an opinion begins to evolve among many.
People and organisations see what's happening when cyber compromises occur, know friends that had it happen to them, see companies that take a whack and keep on ticking, sigh and say “it's just a part of everyday life now, let it go”. If they're really clever, maybe in the process they even create a new way to make money from this attitude, such as cyber-insurance.
This is the same position that even very intelligent engineers who (for example) build power networks and transportation systems have. Many of those engineers believe that they've engineered enough protected redundancy into their systems that they don't need the hassle and instability that adding security controls brings to the systems, that applying technologies for these controls destabilises reliability anyway when you try to integrate it with current production and operations of those systems.
I wonder if even the “Event” would change this: a nuclear-level incident that so disables a company (remember Sony?) or an infrastructure (remember Saudi Aramco?) or society (hypothetical devastating week-long attack on Facebook) that it changes behaviour, attracts regulation, and changes society as we know it.
When it comes to cyber technology, it appears that we are a reactionary society. This may be due in large part to the calculus of risk, reward and cost. We play out a vast poker game in business and society whereby we know (or think we know) the odds but call the hand anyway.
This strategy is actually not a bad one in a free enterprise market– as long as you have all of the data you need to make a good decision about the risk vs. the reward. I fear that we aren't doing enough to have that data available to make the right decision about what poker hand to play.
I also believe that we don't perform the “minimum acceptable standard” for cybersecurity that would help us avoid so many of these incidents, even though history proves time and time again the vast majority of attacks were due to stupid oversights, easily corrected.
This is a cynical view of the role of cybersecurity, but when year after year the hacks persist and grow, when we fail to match the quality and scale of attacks perpetrated on our systems and people, when we make only modest strides in maturity and usability of software and services that are supposed to provide safer and more secure businesses and lives, it isn't hard to understand why this cynicism exists.
A culture that consumes significant technology appears to have found the rightful place of security in their attitudes, behaviours and norms, and that isn't at the centre, or integrated, but at the margins or not at all. From this perspective, cyber threats are noted, and in some cases where there are considerable risks to profit (in the form of loss of money, identity, intellectual property or production) some steps are taken, but those cases are exceptions more than the rule.
Things have “gotten better” from a security point of view over time as companies show more maturity and improve their security stance, but it is slow, slower than it should be when compared to the pace of innovation and change.
The evidence that threats or impacts are greater doesn't appear to be compelling, or compelling enough to average citizens and even savvy businesses, not compelling enough to alter the poker playing habits still underway today. We'll see in time if we overplayed our hand.